HIPAA HIO-201 Certified HIPAA Professional Exam Practice Test

Yes - the hospital's actions satisfy the "safe harbor" method of de-identification.

No - a person with appropriate knowledge and experience must determine that the information that remains can’t identify an individual.

No - authorization to release the information is still required by HIPAA

No - to satisfy "safe harbor" the hospital must also have no knowledge of a way to use the remaining data to identify an individual.

Yes - medical researchers are covered entities and "research" is considered a part of "treatment" by HIPAA.

The protected health information must be removed from the information. A substitute "key" may be supplied to allow re-identification, if needed.

Limit the information to coverage, dates of treatment, and payment amounts to avoid collecting any protected data.

Nothing. An oversight agency has the right to access this information without prior authorization.

Request that the insurance commissioner ask for an exception from HIPAA from the Department of Health and Human Services.

A written authorization is required from the patient.

As a response to a health care claim status request

As a health care claim payment advice

Electronic funds transfer

As a request for health care claims status

Request for the psychotherapy notes of a patient

Data element

Data segment

Transaction set

Functional envelope

Interchange envelope

It can be used for the payment of provider claims.

It can be used to pay for insurance products (either individual or group premiums).

It can function solely as a remittance advice.

Electronic Funds Transfer is fully supported.

This transaction can carry either summary or detailed remittance information.

Eligibility status

Benefit maximums

Participating providers

Deductibles & exclusions

Co-pay amounts

Security Incident Procedures

Integrity

Person or Entity Authentication

Assigned Security Responsibility

Business Associate Contracts and other Arrangements

Transmitted to a business associate for payment purposes only.

Stored on a smart card only by the patient.

Created or received by a credit company that provided a personal loan for surgical procedures.

Created or received by a health care clearinghouse for claim processing.

Requires the use of biometrics for access to records.

Requires PKI for the provider and the patient.

Is exempt from HIPAA regulations.

Is a not-for-profit operation.

Identifies all hospitals and health care organizations.

Performs the functions of format translation and data conversion.

Security Awareness and Training

Security Incident Procedure

Information Access Management

Security Management Process

Contingency Plan

Security Management Process

Device and Media Controls

Information Access Management

Facility Access Controls

Workstation Security

Establishing an orderly hierarchy where HIPAA applies, then other Federal law, then State law.

Defining privacy to be a national interest that is best protected by Federal law

Allowing State privacy laws to provide a cumulative effect lower than HIPAA.

Mandating that Federal laws preempt State laws regarding privacy.

Establishing a "floor" for privacy protection.

Disaster Recovery Plan

Data Backup Plan

Facility Access Controls

Security Incident Procedures

Emergency Mode Operations Plan

270

276

278

280

834

$1,000,000 per person per violation of a single standard for a calendar year.

$10 per person per violation of a single standard for a calendar year.

$25,000 per person per violation of a single standard for a calendar year.

$2,500 per person per violation of a single standard for a calendar year.

$1000 per person per violation of a single standard for a calendar year.

Covered entities that violate the standards or implementation specifications will be subjected to civil penalties of up to $100 per violation except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement

Criminal penalties for non-compliance are fines up to $65,000 and one year in prison for each requirement or prohibition violated

Criminal penalties for willful violation are fines up to $50,000 and one year in prison for each requirement or prohibition violated.

Criminal penalties for violations committed under “false pretenses” are fines up to $100,000 and five years in prison for each requirement or prohibition violated

Criminal penalties for violations committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm are fines up to $250,000 and ten years in prison for each requirement or prohibition violated

Creation and modification of health information during and after an emergency.

Integrity of health information during and after an emergency.

Accountability of health information during and after an emergency.

Vulnerability of health information during and after an emergency.

Non-repudiation of the entity.

Request that the patient sign the lab's Notice of Privacy Practices.

Do nothing more - the activity is covered by the doctor's Notice of Privacy Practices.

Obtain a specific authorization from the patient

Obtain a specific authorization from the doctor.

Verify that the doctor's Notice of Privacy Practices has not expired.

Provide the individual with a Notice of Privacy Practices that describes the use of PHI.

Obtain a written authorization for each and every TPO event.

Obtain a written authorization for any disclosure or use of PHI other than for the purposes of TPO.

Provide access to the PHI that it maintains to the individual and make reasonable efforts to correct possible errors when requested by the individual.

Establish procedures to receive complaints relating to the handling of PHI.

Security Awareness Training

Workforce Security

Facility Access Controls

Workstation Use

Workstation Security

Situations where the marketing is for a drug or treatment could improve the health of that individual.

Situations where the patient has already signed the covered entity's Notice of Privacy Practices.

A face-to-face encounter with the sales person of a company that provides drug samples

A communication involving a promotional gift of nominal value.

The situation where the patient has signed the Notice of Privacy Practices of the marketer.

Establish a business partner relationship with the other provider.

Obtain a signed authorization from the patient to cover the disclosure.

Make a copy of the signed Notice available to the other provider.

Obtain the patients signature on the second provider's Notice of Privacy Practices.

Do nothing more -the Notice of Privacy Practices covers treatment activities.

PKI requirements for hospitals and health care providers.

Encryption algorithms that must be supported by hospitals and health care providers.

Fraud and abuse in the health care system and ways to eliminate the same.

Guaranteed health insurance coverage to workers and their families when they change employers.

The use of strong authentication technology that must be supported by hospitals and health care providers.

A coveted entity must change its policies and procedures to complywith HIPPPregulations, standards, and implementation specifications.

A covered entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the regulations.

A covered entity must provide a process for individuals to make complaints concerning privacy issues.

A covered entity must document all complaints received regarding privacy issues.

The Privacy Rule requires that the covered entity has a documented security policy.